b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                          Full Compliance With Trusted\n                      Internet Connection Requirements Is\n                      Progressing; However, Improvements\n                           Would Strengthen Security\n\n\n\n                                      September 17, 2013\n\n                              Reference Number: 2013-20-107\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number / 202-622-6500\n E-mail Address / TIGTACommunications@tigta.treas.gov\n Website        / http://www.treasury.gov/tigta\n\x0c                                                 HIGHLIGHTS\n\n\nFULL COMPLIANCE WITH                                 activity on TIC equipment, had not completed\nTRUSTED INTERNET CONNECTION                          actions to fully implement TIC requirements for a\nREQUIREMENTS IS PROGRESSING;                         Data Loss Prevention program, did not have\nHOWEVER, IMPROVEMENTS WOULD                          sufficient staff with the required security\n                                                     clearance and proper locations for handling\nSTRENGTHEN SECURITY\n                                                     classified information, and was not regularly\n                                                     scanning TIC equipment to ensure timely\nHighlights                                           discovery and mitigation of vulnerabilities or\n                                                     misconfigurations.\nFinal Report issued on                               WHAT TIGTA RECOMMENDED\nSeptember 17, 2013\n                                                     TIGTA recommended that the Chief Technology\n                                                     Officer ensure that the 
IRS: 1) implements the\nHighlights of Reference Number: 2013-20-107\n                                                     capture and review of administrator activity on\nto the Internal Revenue Service Chief\n                                                     TIC devices; 2) fully implements the selected\nTechnology Officer.\n                                                     tool for the Data Loss Prevention program upon\nIMPACT ON TAXPAYERS                                  successful testing; 3) obtains Top Secret\n                                                     Sensitive Compartmented Information\nThe Trusted Internet Connection (TIC) initiative     clearances for IRS operational employees who\nis one of the Administration\xe2\x80\x99s three priorities to   can receive and react to classified information\nimprove cybersecurity and the security of            on a 24/7 basis; 4) completes implementation\nFederal information systems. The TIC initiative      of proper locations for handling classified\naims to improve agencies\xe2\x80\x99 security posture and       information at TIC locations; 5) implements\nincident response capabilities through enhanced      vulnerability and configuration management\nmonitoring and situational awareness of all          scanning on TIC equipment and mitigates\nexternal network connections. The IRS has            reported findings; and 6) updates all TIC\nprogressed steadily towards implementing TIC         equipment to the most current operating\nrequirements; however, additional improvements       systems approved for use within the IRS.\ncould strengthen the security posture of its TICs.\nSecurity weaknesses within these TICs could          The IRS agreed with all of our recommendations\nexpose taxpayer data to unauthorized access or       and has planned appropriate corrective actions\nloss.                                                to address them. 
The IRS plans to implement\n                                                     audit logging and review administrator activity on\nWHY TIGTA DID THE AUDIT                              TIC devices. The IRS also plans to fully\n                                                     implement TIC requirements related to Data\nThis audit was included in our Fiscal Year 2013\n                                                     Loss Prevention, obtain security clearances for\nAnnual Audit Plan and addresses the major\n                                                     operational employees, and complete\nmanagement challenge of Security for Taxpayer\n                                                     implementation of proper locations for handling\nData and Employees. The objective of this audit\n                                                     classified information at TIC locations. In\nwas to evaluate the IRS\xe2\x80\x99s three TICs to ensure\n                                                     addition, the IRS plans to implement\nthat the connections comply with Department of\n                                                     vulnerability scanning on TIC equipment and\nHomeland Security requirements. The\n                                                     update all TIC equipment to the most current\nAdministration expects Federal agencies to\n                                                     operating systems.\nachieve 100 percent compliance with TIC\nrequirements by Fiscal Year 2014.\nWHAT TIGTA FOUND\nAlthough the IRS has made good progress\nimplementing the TIC requirements, our review\nrevealed areas where improvements could\nstrengthen the security posture of the TICs. For\nexample, the IRS was not logging administrative\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 
20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                         September 17, 2013\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n\n\n FROM:                       Michael E. McKenney\n                             Acting Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Full Compliance With Trusted Internet\n                             Connection Requirements Is Progressing; However, Improvements\n                             Would Strengthen Security (Audit # 201320005)\n\n This report presents the results of our review of the Internal Revenue Service\xe2\x80\x99s three Internet\n connections to ensure compliance with the Department of Homeland Security requirements for\n Trusted Internet Connections. This review is part of the Treasury Inspector General for Tax\n Administration\xe2\x80\x99s Fiscal Year 2013 Annual Audit Plan and addresses the major management\n challenge of Security for Taxpayer Data and Employees.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix IV.\n Copies of this report are also being sent to the Internal Revenue Service managers affected by the\n report recommendations. If you have any questions, please contact me or Alan R. Duncan,\n Assistant Inspector General for Audit (Security and Information Technology Services).\n\x0c                                           Full Compliance With Trusted\n                                 Internet Connection Requirements Is Progressing;\n                                However, Improvements Would Strengthen Security\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... 
Page 3\n          Full Compliance With Trusted Internet Connection\n          Requirements Is Progressing......................................................................... Page 3\n          Additional Improvements Would Strengthen Security ................................. Page 4\n                    Recommendations 1 through 3:........................................... Page 8\n\n                    Recommendations 4 through 6:........................................... Page 9\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 10\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 12\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 13\n          Appendix IV \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ...................... Page 14\n\x0c                     Full Compliance With Trusted\n           Internet Connection Requirements Is Progressing;\n          However, Improvements Would Strengthen Security\n\n\n\n\n                    Abbreviations\n\nDHS           Department of Homeland Security\nDLP           Data Loss Prevention\nIRS           Internal Revenue Service\nOMB           Office of Management and Budget\nSCIF          Sensitive Compartmented Information Facility\nTIC           Trusted Internet Connection\nUS-CERT       United States Computer Emergency Response Team\n\x0c                                      Full Compliance With Trusted\n                            Internet Connection Requirements Is Progressing;\n                           However, Improvements Would Strengthen Security\n\n\n\n\n                                            Background\n\nIn November 2007, the Office of Management and Budget (OMB) issued Memorandum\nM-08-05, Implementation of Trusted Internet Connections (TIC), which introduced the 
TIC\ninitiative, one of the Administration\xe2\x80\x99s three priorities1 for improving cybersecurity and the\nsecurity of Federal information systems. The primary\ngoals of the TIC initiative are (1) to consolidate and\n                                                                      The TIC initiative is an\nsecure Federal agency external connections using a\n                                                                    Administration priority for\ncommon set of security controls and (2) to improve the\n                                                                     improving the security of\nFederal Government\xe2\x80\x99s incident response capability. To\n                                                                   Federal information systems.\nachieve these goals, the initiative has the following\nobjectives:\n    \xef\x82\xb7   Reduce and consolidate external connections, including connections to the Internet,\n        across the Federal Government.\n    \xef\x82\xb7   Define and maintain baseline security capabilities at TIC access points.\n    \xef\x82\xb7   Establish a compliance program to monitor agency adherence to TIC policy.\nThe Administration expects executive branch departments and agencies to achieve 100 percent\ncompliance with TIC requirements by the end of Fiscal Year2 2014. 
In Memorandum M-08-27,3\nthe OMB stated that to be considered compliant with the TIC initiative, Federal agencies that\nimplement TICs must:\n    \xef\x82\xb7    Comply with the capabilities published by the OMB as part of the TIC initiative.4\n    \xef\x82\xb7    Continue the reduction and consolidation of external network connections.\n    \xef\x82\xb7    Participate in the National Cyber Protection System5 program.\n\n\n1\n  The other two are continuous monitoring of Federal information systems and strong authentication with Homeland\nSecurity Presidential Directive 12\xe2\x80\x93compliant credentials for logical access control.\n2\n  A 12-consecutive-month period ending on the last day of any month. The Federal Government\xe2\x80\x99s fiscal year begins\non October 1 and ends on September 30.\n3\n  OMB M-08-27, Guidance for Trusted Internet Connection Compliance (Sept. 30, 2008), provides additional\nguidance and clarification to Federal departments and agencies on compliance with the TIC initiative requirements.\n4\n  The Department of Homeland Security, in collaboration with Federal agencies, developed the TIC Reference\nArchitecture v2.0, which introduces new capabilities and clarifies existing mandatory critical capabilities. 
In\naddition to mandatory critical capabilities, the TIC Reference Architecture v2.0 includes recommended capabilities\nbased on evolving technologies and threats.\n5\n  The National Cyber Protection System (operationally known as Einstein) is a Governmentwide intrusion detection\nsystem deployed at TIC access points.\n                                                                                                          Page 1\n\x0c                                       Full Compliance With Trusted\n                             Internet Connection Requirements Is Progressing;\n                            However, Improvements Would Strengthen Security\n\n\nThe Department of Homeland Security (DHS) has been tasked with managing and overseeing\nthe OMB\xe2\x80\x99s TIC initiative for the Federal Government and ensuring that Federal agencies reduce\ntheir total number of external Internet connections and consolidate them through approved TIC\naccess points.6 The DHS Federal Network Resilience Division\xe2\x80\x99s Cybersecurity Assurance\nBranch annually assesses the state of operational readiness and cybersecurity risk of unclassified\nnetworks and systems across the Federal civilian executive branch. The Cybersecurity\nAssurance Branch is responsible for coordinating annual Cybersecurity Capability Validations7\nusing an objective, repeatable, and consistent validation assessment method to measure the\ndegree of adherence to the TIC initiative and OMB-published Federal cybersecurity\nrequirements.\nThe DHS conducted its most recent annual Cybersecurity Capability Validations on the\nDepartment of the Treasury\xe2\x80\x99s various TICs in February 2013. The Department of the Treasury\nhas implemented seven TICs, three of which were implemented by the Internal Revenue\nService (IRS) at its computing centers in Detroit, Michigan; Memphis, Tennessee; and\nMartinsburg, West Virginia. 
During its 2013 review, the DHS reported that the Department of\nthe Treasury\xe2\x80\x99s composite score for meeting TIC technological compliance was 92 percent, that it\nhad consolidated 64 percent of its connections, and that it had consolidated 81 percent of its total\nexternal traffic flow through an approved TIC access point.\nThis review was performed with information obtained from the IRS Information Technology\norganization located in New Carrollton, Maryland; Detroit, Michigan; Memphis, Tennessee; and\nMartinsburg, West Virginia, during the period December 2012 through July 2013. We\nconducted this performance audit in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions based on our\naudit objective. We believe that the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objective. Detailed information on our audit\nobjective, scope, and methodology is presented in Appendix I. 
Major contributors to the report\nare listed in Appendix II.\n\n\n\n\n6\n  As a follow-up, OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the\nExecutive Office of the President and the Department of Homeland Security (July 6, 2010), further defined the\nDHS\xe2\x80\x99s responsibility, in coordination with the OMB, to certify and enforce agency implementation of network\nsecurity operational standards and best practices and to ensure that agencies comply with Federal standards and\npolicies.\n7\n  In 2009-2010, the DHS\xe2\x80\x99s Federal Network Resilience Division launched the TIC Cybersecurity Capability\nValidations to assess and report agency compliance with OMB-directed guidance and criteria.\n                                                                                                            Page 2\n\x0c                                       Full Compliance With Trusted\n                             Internet Connection Requirements Is Progressing;\n                            However, Improvements Would Strengthen Security\n\n\n\n\n                                       Results of Review\n\nFull Compliance With Trusted Internet Connection Requirements Is\nProgressing\nAgencies that implement TICs must ensure that each TIC meets the security and technological\ncapabilities specified in the TIC Reference Architecture v2.0 that was issued by the DHS. The\nIRS has progressed steadily towards full compliance with TIC Reference Architecture v2.0\nrequirements in its three TICs, which are located at the IRS computing centers in\nDetroit, Michigan; Memphis, Tennessee; and Martinsburg, West Virginia. In February 2013, the\nDHS conducted a Cybersecurity Capability Validation assessment of two of the IRS TICs,\nlocated at Memphis, Tennessee, and Martinsburg, West Virginia, and reported that each met\n68 (92 percent) of the 74 capabilities required. 
The TIC capabilities that the IRS had not met\nrelated to requirements for:\n    \xef\x82\xb7    Multi-factor authentication for administrative access to TIC devices.\n    \xef\x82\xb7    Having at least two physically separate points of entry and separate cabling paths to\n         external Internet service providers, rather than a single Internet service provider using a\n         single circuit.\n    \xef\x82\xb7    Filtering inbound traffic to Web servers to protect from attacks.\n    \xef\x82\xb7    Validating domain signatures8 of e-mails received from external institutions, and\n         supporting the domain-level signing of outbound e-mail.\nThe IRS continues to work to address gaps in order to comply with the TIC initiative\xe2\x80\x99s mandated\nrequirements. The IRS has taken steps to correct previous gaps in meeting TIC Reference\nArchitecture v2.0 capabilities, such as implementing external Domain Name System Security\nExtensions9 validation to protect against manipulation of Domain Name System10 data and\ninstalling Einstein probes11 at its TIC access points to comply with intrusion detection standards.\n\n\n8\n  A domain signature is a digital signature added to the header of e-mail messages which allows the recipient of the\nmessage to validate that it is from the actual sender.\n9\n  A technology that protects against attacks that use forged or manipulated Domain Name System data by digitally\n\xe2\x80\x9csigning\xe2\x80\x9d the data to ensure that they are valid.\n10\n   The Domain Name System translates Internet domain and host names to Internet Protocol addresses and\nimplements a distributed database to store this name and address information for all public hosts on the Internet.\n11\n   Intrusion detection sensors that can alert the U.S. 
Computer Emergency Response Team in real time to the\npresence of a malicious or potentially harmful activity in the Federal network traffic and provide correlation and\nvisualization of the derived data.\n                                                                                                             Page 3\n\x0c                                   Full Compliance With Trusted\n                         Internet Connection Requirements Is Progressing;\n                        However, Improvements Would Strengthen Security\n\n\nIn addition, the IRS has taken appropriate steps to identify all external connections in order to\nensure that those connections which were required to go through a TIC were in fact going\nthrough a TIC.\n\nAdditional Improvements Would Strengthen Security\nAlthough the IRS has made good progress implementing the TIC requirements, our review\nrevealed areas where improvements could strengthen security over the TICs. Specifically, the\nIRS should implement audit logging of administrator activity on TIC equipment to ensure that\naccountability can be established for any actions that are taken. In addition, while the IRS is\nworking towards compliance, actions are still needed to complete TIC requirements related to\nimplementing a Data Loss Prevention (DLP) program and ensuring that the IRS has sufficient\npersonnel in place with the required clearance and the proper locations for handling classified\ninformation. Finally, the IRS must implement regular scanning or other automated checks to\nensure that vulnerabilities or misconfigurations are timely discovered and mitigated on TIC\nequipment.\n\nAudit logging of administrator activity on TIC devices was not occurring\nThe IRS was not capturing audit logs of administrator activity on TIC servers, firewalls, or\nrouters. Because logs were not being captured, activity by administrators on TIC devices was\nnot being reviewed. 
Audit trails maintain a record of user activity and provide a means to\nestablish individual accountability. TIC specifications require the IRS to maintain the logs\nneeded to establish an audit trail of administrator activity on TIC systems and components. IRS\npolicy requires administrators of IRS systems to ensure that systems are logging in compliance\nwith requirements. In addition, IRS policy requires Information Technology organization\nsecurity specialists to review audit logs at least weekly. Our interviews with the staff within the\nIRS\xe2\x80\x99s Computer Security Incident Response Capability and User and Network Services\norganizations revealed confusion over who had responsibility for capturing and reviewing this\nspecific type of audit log. Without an effective system for the capture and review of\nadministrator activity, accountability for actions taken on TIC equipment cannot be established\nand unauthorized activity may go undetected.\n\nA DLP program was not in place\nThe DLP program is a system that is designed to detect potential data breach transmissions and\nprevent them by monitoring, detecting, and blocking sensitive data while in use (endpoint\nactions), in motion (network traffic), and at rest (data storage). In data loss incidents, sensitive\ndata are disclosed to unauthorized personnel either by malicious intent or inadvertent mistake.\nSuch sensitive data can come in the form of private or company information, intellectual\nproperty, financial or patient information, credit card data, and other information depending on\nthe business and the industry. 
TIC specifications in accordance with OMB Memorandums\n\n                                                                                              Page 4\n\x0c                                      Full Compliance With Trusted\n                            Internet Connection Requirements Is Progressing;\n                           However, Improvements Would Strengthen Security\n\n\nM-06-16, M-06-19, and M-07-1612 recommend the IRS implement a DLP program for\nsafeguarding Personally Identifiable Information and other sensitive information that is in the\npossession of the Government and preventing its breach.\nAlthough the IRS has a plan in place, it has not yet implemented its DLP program.13 The IRS\nintends to implement a DLP solution that is able to identify, log, track, monitor, alert on, report\non, and protect sensitive agency information and Personally Identifiable Information. The IRS\nhas planned three releases. Release 1 will address data in motion through monitoring data\nmoving across the IRS information technology perimeter and identifying Personally Identifiable\nInformation, specifically Social Security Numbers. Release 2 will address data-at-rest by\ndetecting sensitive data stored on IRS databases or fileservers. Release 3 will address\ndata-in-use by deploying an end-user client that will allow monitoring of data being created or\nmanipulated on user workstations and preventing its distribution, storage, or alteration.\nThe IRS has selected a DLP tool and initiated testing of this tool. However, its deployment that\nwas scheduled for the end of Calendar Year 2013 will not be met due to funding issues. 
Without\nan effective DLP solution in place, the IRS cannot detect potential data breaches or exfiltration\ntransmissions,14 putting IRS data at risk of unauthorized disclosure and loss.\n\nA sufficient number of operational employees did not have appropriate security\nclearances for handling classified information\nThe IRS currently does not have sufficient personnel in place with the required clearance for\nhandling classified information. TIC specifications require the IRS to have personnel with Top\nSecret Sensitive Compartmented Information clearance. This clearance provides the individual\nwith the authority to report, acknowledge, and initiate actions based on ongoing cyber\ninvestigations, intrusions, incidents, and operations that are classified at the Top Secret Sensitive\nCompartmented Information level with the U.S. Computer Emergency Response Team\n(US-CERT) and other cleared operational cyber components. The intent is to have at least one\nqualified person with this clearance always available (on call, including weekends and holidays)\nto exchange classified communications within two hours. During off hours, TICs may have\nreduced staffing. Network operations center personnel working after hours may need to escalate\nan incident to on-call personnel with Top Secret Sensitive Compartmented Information\nclearance. While some IRS executives have the required clearance, employees at the operational\nlevel who are available to address TIC security issues do not. The IRS had not yet requested the\n\n12\n   OMB M-06-16, Protection of Sensitive Agency Information (June 23, 2006), OMB M-06-19, Reporting Incidents\nInvolving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information\nTechnology Investments (July 6, 2006), and OMB M-07-16, Safeguarding Against and Responding to the Breach of\nPersonally Identifiable Information (May 22, 2007).\n13\n   A prior report, Treasury Inspector General for Tax Administration, Ref. 
No. 2011-20-012, Additional Security Is\nNeeded for the Taxpayer Secure Email Program (Feb. 2011), recommended that the IRS deploy a data leakage\nprevention system to prevent sensitive data, such as Social Security Numbers, from leaving the IRS domain.\n14\n   The unauthorized transmission of data from a computer to the external world.\n                                                                                                           Page 5\n\x0c                                      Full Compliance With Trusted\n                            Internet Connection Requirements Is Progressing;\n                           However, Improvements Would Strengthen Security\n\n\nsecurity clearances through the Department of the Treasury due to other priorities. Without these\nsecurity clearances at the operational level, the IRS may be unable to receive and react to\nclassified TIC security issues in a timely manner.\n\nSensitive Compartmented Information Facilities were not available for IRS TICs\nThe IRS does not have a Sensitive Compartmented Information Facility (SCIF) at any of its\nthree TIC locations. A SCIF15 is a secured area within a building that is used to process sensitive\ncompartmented information. Sensitive compartmented information is classified secret or top\nsecret information that is derived from intelligence sources, methods, or analytical processes.\nAll sensitive compartmented information must be processed, stored, used, or discussed in an\naccredited SCIF.\nTIC specifications require accredited SCIFs to be maintained within 30 minutes of each TIC\nmanagement location in order for authorized personnel to exchange classified information,\nevaluate the recommendations, initiate the response, and report operational status with the\nUS-CERT within two hours of the notification. 
For example, the IRS may need to report to or\nreceive from the US-CERT information regarding cyberattacks, threats, or incidents that are\nclassified at the sensitive compartmented information level and must be handled in a properly\nsecured area. While the Department of the Treasury maintains a SCIF at its headquarters\nbuilding located in Washington, D.C., this facility is not within 30 minutes of the IRS TICs. The\nIRS is in the process of implementing this requirement. The IRS indicated that it has\nencountered challenges to implementing SCIFs that include working with the General Services\nAdministration to identify suitable space, selecting a contractor to complete the work, and\nworking with the Department of the Treasury to provide final approval after the construction is\ncomplete. Without fully compliant SCIFs at each TIC location, the IRS may be unable to receive\nand react to top secret security issues in a timely and secure manner.\n\nImplementing required scans can further secure TIC firewalls and routers\nAlthough the IRS has generally configured TIC firewalls and routers securely, we found\ninstances where firewalls or routers were not configured in compliance with required baseline\nconfiguration settings. The IRS was not regularly scanning its TIC firewalls and routers to\nidentify vulnerabilities or misconfigurations. Both TIC specifications and IRS policy require\nthat firewalls and routers be scanned monthly to ensure that vulnerabilities or misconfigurations\nare timely discovered and mitigated.\nWe reviewed all 38 firewalls deployed within IRS\xe2\x80\x99s TIC environments and their related\n66 routers. 
The firewalls and routers are used to move network traffic between the Internet access provider and the IRS internal network. We found the following instances of noncompliance.

   •   Administrator accounts on two of 38 firewalls did not have a password, allowing direct access at the highest privilege without a password. IRS policy requires all systems to have passwords that meet minimum requirements. Administrative accounts without passwords can be accessed by anyone and would provide unrestricted access to everyone on the computer as well as a jumping point to access other systems, increasing the risk of unauthorized access and exposure to sensitive data.

   •   Administrator passwords on 20 of 66 routers were not securely encrypted within the router configuration files. These routers used the “enable password” encryption scheme, which the manufacturer had stated in 2008 should no longer be used. Passwords encrypted with the “enable password” scheme can readily be decrypted if access is gained to the configuration file or a stored copy of the configuration file. Instead, the manufacturer stated that all passwords on routers should use the “enable secret” routine, which uses a stronger encryption routine. IRS policy requires passwords to be protected through encryption that meets Federal standards when stored or transmitted. Weak encryption of administrator passwords increases the risk of unauthorized access and disclosure of taxpayer data.

   •   Time zone configurations on two of 66 routers were not properly configured. IRS policy requires that routers be time-synchronized with the IRS’s authoritative time server. Without proper time synchronization, events that occur on these routers may not be accurately time stamped, making it difficult to detect attacks or investigate suspicious user activity.

   •   The system-use notification/warning banner in use on 10 of 38 firewalls and 52 of 66 routers did not match the IRS-approved notification/warning banner text. IRS policy specifies the approved text that must be displayed before granting access to an IRS system. The warning banner text was modified to include appropriate legal citations in May 2012. Not displaying the approved banner could result in authorized and unauthorized users not being aware that they have accessed a U.S. Government system that requires prior authorization and that they have forfeited their rights to privacy when using the specified system.

   •   A “deny all” rule is typically placed at the end of each Access Control List to specifically deny traffic that has not been permitted or denied earlier within that Access Control List. On two of 66 routers we reviewed, a “deny all” rule was misplaced in the middle of an Access Control List. This misplacement prevented legitimate traffic from reaching the rule that would have permitted the traffic to transit the router.

The IRS informed us that it corrected the misconfigurations on the routers and devices that we reported. The lack of regular scanning or other means for automated checks to verify compliance on firewalls and routers led to the incorrect configurations we found. Without regular scanning or automated checks, vulnerabilities may not be discovered and fixed in a timely manner, ultimately decreasing the security posture of the IRS network.

¹⁵ Office of the Director of National Intelligence, Intelligence Community Directive Number 705, Sensitive Compartmented Information Facilities (May 26, 2010), established the uniform physical and technical requirements with which facilities must comply in order to be accredited as a SCIF.

Operating systems were outdated on certain TIC servers

The IRS has eight TIC servers running outdated versions of the Red Hat Linux operating system. IRS policy requires that equipment be maintained at proper configuration baselines. However, the IRS organization responsible for updating these systems did not sufficiently monitor them to ensure that operating systems were updated in a timely manner. Outdated operating systems increase the risk of attacks that exploit known vulnerabilities, resulting in unauthorized access or loss of IRS data.

Recommendations

The Chief Technology Officer should ensure that the IRS:

Recommendation 1: Implements the capture and review of administrator activity on TIC devices, including users accessing these devices, logon and logoff times, and activities conducted during access.

       Management’s Response: The IRS agreed with this recommendation.
       The User and Network Services organization will engage the Cybersecurity Enterprise Security Audit Trail team to facilitate a gap analysis of existing Enterprise Security Audit Trail audit and review capabilities and fully implement the capture and review of administrator activity on TIC devices.

Recommendation 2: Fully implements the selected DLP tool upon successful testing.

       Management’s Response: The IRS agreed with this recommendation. The IRS’s current implementation of the DLP tool to monitor outbound e-mail and web traffic is scheduled to be completed in December 2014.

Recommendation 3: Obtains Top Secret Sensitive Compartmented Information clearances for IRS operational employees who can receive and react to classified information on a 24/7 basis.

       Management’s Response: The IRS agreed with this recommendation. The Cybersecurity Computer Security Incident Response Center requires access to Top Secret Sensitive Compartmented Information on specific ongoing real-world classified cyber investigations, intrusions, incidents, and operations and will continue to work with the Department of the Treasury to obtain and clear appropriate staff.

Recommendation 4: Completes implementation of the SCIFs at TIC management locations.

       Management’s Response: The IRS agreed with this recommendation. The Cybersecurity organization understands the importance of appropriate classified facilities and previously initiated planning and design work with the Real Estate and Facilities Management organization at the two primary IRS Security Operations Centers, which also serve as TIC management locations. The Cybersecurity organization will monitor the progress and work with the Real Estate and Facilities Management organization to complete the implementation of the SCIFs at these locations.

Recommendation 5: Implements vulnerability and configuration management scanning on firewalls and routers and mitigates reported findings.

       Management’s Response: The IRS agreed with this recommendation. The User and Network Services organization will engage the Cybersecurity organization to perform vulnerability scanning on TIC firewalls and routers. Additionally, the User and Network Services organization will verify that all TIC routers, switches, and firewalls are currently reporting to Hewlett Packard Network Automation for biweekly Guidelines, Standards, and Procedures compliance validation checking.

Recommendation 6: Updates all TIC equipment to the most current operating systems approved for use within the IRS.

       Management’s Response: The IRS agreed with this recommendation. The IRS will review TIC inventory and current operating system releases and identify any systems that are not running the current release approved for use within the IRS. Following the review of the systems, the User and Network Services organization will engage the system vendor to analyze TIC components for any known vulnerabilities and recommend updated releases for any systems running outdated software.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of our review was to evaluate the IRS’s three TICs to ensure that the connections complied with the Department of Homeland Security requirements. To accomplish this objective, we:

I.     Determined the effectiveness of IRS efforts to identify all existing external connections and route those connections through the TICs.
       A. Assessed whether the IRS is properly applying the definition of “external connection” in accordance with the TIC Reference Architecture v2.0.
       B. Assessed whether the IRS effectively identified all of its external connections.
       C. Determined whether any criteria exist that allow certain external connections to not go through a TIC.
II.    Determined the effectiveness of IRS efforts to comply with TIC Reference Architecture v2.0 requirements as well as selected security controls protecting the TICs.
       A. Identified Federal requirements for implementation and configuration of each TIC component.
       B.
          Reviewed the Cybersecurity Capability Validation Report issued by the DHS in March 2013 that provided an assessment of TIC compliance for two of the IRS TICs. We did not verify or validate the reported results.
       C. Determined the effectiveness of security controls over TIC components.
          1. Verified whether operating systems had been properly updated.
          2. Verified whether access controls were in place.
          3. Verified whether audit trails were captured and reviewed.
          4. Reviewed all 38 TIC firewalls and their 66 related routers to verify whether they were properly configured. Because scanning reports were generally not available, we extracted and reviewed configuration files directly from the firewalls and routers.
          5. Verified whether Domain Name System Security Extensions¹ was in place.
          6. Verified whether a network intrusion detection system was in place and reports and logs were reviewed.
          7. Determined whether a DLP program was in place.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: IRS policies and procedures for the identification and control of external network connections and for ensuring required security controls are implemented on TIC equipment. We evaluated these controls by reviewing IRS, DHS, and OMB policies; interviewing IRS personnel; and reviewing IRS TIC documentation and device configurations.

¹ A technology that protects against attacks that use forged or manipulated Domain Name System data by digitally “signing” the data to ensure that they are valid.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Jody Kitazono, Audit Manager
Bret Hunter, Senior Auditor
Sam Mettauer, Information Technology Specialist
Larry Reimer, Information Technology Specialist

Appendix III

Report Distribution List

Acting Commissioner
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Office of the Deputy Commissioner for Services and Enforcement SE
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, User and Network Services OS:CTO:UNS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Management’s Response to the Draft Report
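The router findings earlier in this report (the “enable password” scheme, time zone and time synchronization settings, the approved warning banner, and a “deny all” rule placed before the end of an Access Control List) can be checked mechanically from extracted configuration files, which is how the auditors worked when scanning reports were unavailable. The following is an added example, not code from TIGTA or the IRS; it assumes the Cisco IOS syntax in which the “enable password” and “enable secret” commands appear, and the approved banner text and the sample configuration are constructed placeholders.

```python
import re

# Constructed placeholder: the report does not reproduce the IRS-approved banner text.
APPROVED_BANNER = "Authorized use only. Activity may be monitored."

def is_deny_all(action: str, rest: str) -> bool:
    toks = rest.split()  # standard "deny any" or extended "deny ip any any"
    return action == "deny" and (toks == ["any"] or toks[:3] == ["ip", "any", "any"])

def check_config(config: str) -> list[str]:
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Reversible "enable password" scheme instead of "enable secret".
    if any(ln.startswith("enable password") for ln in lines):
        findings.append("enable password in use; replace with enable secret")
    # Time zone and time source are needed for accurately time-stamped events.
    if not any(ln.startswith("clock timezone") for ln in lines):
        findings.append("no clock timezone configured")
    if not any(ln.startswith("ntp server") for ln in lines):
        findings.append("no ntp server configured")
    # Login banner must match the approved text exactly (whitespace-normalized).
    m = re.search(r"banner login \^C(.*?)\^C", config, re.S)
    banner = " ".join(m.group(1).split()) if m else ""
    if banner != APPROVED_BANNER:
        findings.append("login banner does not match approved text")
    # A deny-all entry must be the last entry of its access list.
    acls: dict[str, list[tuple[str, str]]] = {}
    for ln in lines:
        m = re.match(r"access-list (\S+) (permit|deny) (.*)", ln)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    for name, entries in acls.items():
        for idx, (action, rest) in enumerate(entries[:-1]):
            if is_deny_all(action, rest):
                findings.append(f"ACL {name}: deny-all entry {idx + 1} of {len(entries)} is not last")
    return findings

# Constructed sample configuration; the password value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
enable password 7 0123456789abcdef
clock timezone EST -5
ntp server 10.0.0.5
banner login ^C
Authorized use only. Activity may be monitored.
^C
access-list 101 permit tcp any host 10.0.0.9 eq 443
access-list 101 deny ip any any
access-list 101 permit udp any host 10.0.0.9 eq 53
"""
```

Running `check_config(SAMPLE_CONFIG)` reports the weak enable password and the misplaced deny-all entry in ACL 101; moving the deny-all entry last and replacing the enable password with an enable secret clears both findings.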